1 Introduction

In cryptography, one is interested in functions $F : \mathbb{F}_2^m \to \mathbb{F}_2^m$ which are highly
nonlinear. There are basically two concepts to measure the linearity of a function:

We may use the Walsh transform (which is a special case of the discrete Fourier
transform) or we may use differential properties of F. These two concepts lead to
the notions of almost bent (AB) and almost perfect nonlinear (APN) functions. Not
many examples of such functions are known, and it was an open problem to decide
whether the list of known APN and AB functions is complete. Moreover, all the
examples constructed so far have been equivalent to power mappings. In this paper
we discuss the mapping

$$F : \mathbb{F}_{2^{10}} \to \mathbb{F}_{2^{10}}, \quad x \mapsto x^3 + u x^{36},$$

where u is a suitable element in the multiplicative group $\mathbb{F}_{2^{10}}^*$ of $\mathbb{F}_{2^{10}}$, see Theorem
2. It turns out that these mappings are inequivalent to any power mappings, hence
they are new. This is the first example of a new APN mapping for several years,
see [S], and it is the first example of a mapping which is inequivalent to any power
mapping. Moreover, the mapping is crooked or, in other words, differentially affine.

We emphasize that our function is inequivalent to a power mapping in the general
way described in 0] and [2]. It seems that not much attention has been paid so far
to the question whether the known classes of APN or AB functions are inequivalent 
in this general sense or not. We are not aware of any reference that shows whether 
the known classes are equivalent or not. 

In this paper, we use a dimension argument (that has not been used before in order
to distinguish APN or AB functions) to prove that the function mentioned above
is really new. This argument is motivated by the dimension arguments that are used
in order to distinguish difference sets, and it may also be applied to distinguish the
known classes of APN and AB mappings.

Throughout this paper, let $\mathbb{F}_{2^m}$ denote the finite field with $2^m$ elements. This
field is also a vector space $\mathbb{F}_2^m$ of dimension m over $\mathbb{F}_2$, or simply an elementary
abelian group of order $2^m$. The differential and the linear properties of a function
F are only related to the additive structure of $\mathbb{F}_{2^m}$ and have nothing to do with the
multiplicative group. However, in order to construct functions with good linear and 
differential properties, we will use the multiplication in . For a description of 
the differential and linear properties of functions F, it is enough to consider F to be 
a mapping between two abelian groups, no matter whether these are the additive 
groups of finite fields or not. 

The paper is organized as follows. In the next Section, we describe the notion 
of AB and APN and crooked mappings. In Section 3 we discuss the problem
to determine the equivalence classes of functions. In the final Section, we apply
the results of Section 3 to show that our new APN function is inequivalent to the
known ones. We conclude the paper with some interesting open problems and 
related questions. 

2 Nonlinear functions 

Let U and V be arbitrary groups. If $F : U \to V$ is a function, then we define the
graph $G_F$ of F as follows:

$$G_F := \{(x, F(x)) : x \in U\} \subseteq U \times V.$$

We define

$$\delta_F(a,b) := |\{(x - y, F(x) - F(y)) = (a,b) : x, y \in U\}|.$$

Note that $\delta_F(a,b)$ is the number of solutions $(x, y)$ to the equations

$$x - y = a, \quad F(x) - F(y) = b \tag{1}$$

or the number of solutions of

$$F(y + a) - F(y) = b.$$

If F is linear (hence U and V are the additive groups of vector spaces) then

$$\delta_F(a,b) \in \{0, |U|\}.$$

A function F is differentially highly nonlinear if

$$\mathcal{D}(F) := \max_{a \in U,\, b \in V,\, (a,b) \neq (0,0)} \delta_F(a,b)$$

is small.

We are now going to describe the differential properties of F in terms of group
algebras. Let G be an arbitrary multiplicatively written group, and let K[G] denote
the group algebra of G over the field K. The group algebra consists of the formal
sums

$$\sum_{g \in G} a_g g,$$

where $a_g \in K$. We can define an addition

$$\sum_{g \in G} a_g g + \sum_{g \in G} b_g g := \sum_{g \in G} (a_g + b_g)\, g$$

and a multiplication

$$\Big(\sum_{g \in G} a_g g\Big) \cdot \Big(\sum_{g \in G} b_g g\Big) := \sum_{g \in G} \sum_{h \in G} (a_h \cdot b_{h^{-1}g})\, g.$$

In order to distinguish the addition in K[G] from the composition of elements in
G, we prefer to write the group multiplicatively if we use group algebra notation.
However, the groups that we are really using are always additively written.

If $D \subseteq G$, we identify D with the element $\sum_{g \in D} g$, which we denote, by abuse of
notation, by D again. Moreover, if $A = \sum_{g \in G} a_g g$, then $A^{(-1)} := \sum_{g \in G} a_g g^{-1}$. Using
this notation, we easily obtain the equation

$$G_F G_F^{(-1)} = \sum_{(a,b) \in U \times V} \delta_F(a,b)\,(a,b).$$

This shows that the $\delta_F(a,b)$'s are the coefficients of the elements in $G_F G_F^{(-1)}$. The
set (or multiset if we also count multiplicities)

$$\{\delta_F(a,b) : (a,b) \in U \times V\}$$

is called the differential spectrum of F.

Characters are an important concept in the theory of group algebras. We restrict
ourselves to abelian groups, otherwise we have to replace characters by higher
dimensional representations. Characters are precisely the one-dimensional
representations of a group G.

A character is a homomorphism $G \to \mathbb{C}^*$. In the abelian case, there are $|G|$
characters which form a group $\hat{G}$ which is isomorphic with G. The transformation

is called the discrete Fourier transform. The character that maps every group
element to 1 is denoted $\chi_0$.

We look at the case of functions $F : U \to V$ and the elements $G_F \in \mathbb{C}[U \times V]$.
If F is linear or affine linear, then $G_F$ is a coset of a subgroup of $U \times V$, and then

$$\chi(G_F) \in \{0, \pm|U|\}.$$

This follows from the well known orthogonality relations for characters. Therefore,
it is natural to call a mapping highly nonlinear if

$$\mathcal{LN}(F) := \max_{\chi \neq \chi_0} |\chi(G_F)|$$

is small. The set (or multiset) of character values

$$\{\chi(G_F) : \chi \in \widehat{U \times V}\}$$

is called the Fourier spectrum of F. We may define the Fourier and the differential
spectrum also for arbitrary sets $A \subseteq G$ or arbitrary group algebra elements $A \in \mathbb{C}[G]$.

Now let us look at the special case of elementary abelian 2-groups U and V. 
We return to the general case of abelian groups in the next section, since, in our 
opinion, the term "equivalence of functions" is best explained in this more general 
context. 

If U and V are elementary abelian 2-groups, then $\delta_F(a,b)$ is always even, hence
we have

$$\mathcal{D}(F) \ge 2. \tag{2}$$

The numbers $\delta_F(a,b)$ are even since the two equations (1) always have an even
number of solutions: you may just interchange x and y. We say that a function is
almost perfect nonlinear (APN) if $|U| = |V|$ and we have equality in (2).
Similarly, one can show

$$\mathcal{LN}(F) \ge |U|^{1/2}. \tag{3}$$

This can be proved easily using some well known properties of the discrete Fourier
transform. If $|U| = |V| = 2^m$, we have the improvement

$$\mathcal{LN}(F) \ge 2^{(m+1)/2}, \tag{4}$$

see 51]. Functions which satisfy (4) with equality are called almost bent (AB),
whereas functions which satisfy (3) are called bent. Sometimes the term bent is
reserved just for the case of functions with $|V| = 2$. It is well known that AB
functions (which can exist only in the case m odd) are APN.

The development of the concept of nonlinearity does not make use of finite fields. 
However, in order to construct examples of APN and AB functions it is useful to 
equip U and V with the structure of a finite field. In this case, we can describe our 
mappings by polynomials. The degree of this polynomial will play an important 
role in the next section. 

The best studied functions are the power mappings $x^d$. So far, all known
constructions of APN and AB functions are related to power mappings. It has been
checked at least up to $m = 15$ (see 0) that the following table gives a complete list
of power APN mappings on $\mathbb{F}_{2^m}$:



Table 1

Known APN power functions on $\mathbb{F}_{2^m}$.

| | Exponents d | Conditions | Reference |
|---|---|---|---|
| Gold functions | $2^i + 1$ | $\gcd(i, m) = 1$, $1 \le i \le$ ^ | 9, 14 |
| Kasami functions | $2^{2i} - 2^i + 1$ | $\gcd(i, m) = 1$, $1 \le i \le$ ^ | 11, ij] |
| Welch function | $2^t + 3$ | $m = 2t + 1$ | 7 |
| Niho function | $2^t + 2^{t/2} - 1$, t even; $2^t + 2^{(3t+1)/2} - 1$, t odd | $m = 2t + 1$ | 6 |
| Inverse function | $2^{2t} - 1$ | $m = 2t + 1$ | ini.iTi |
| Dobbertin function | $2^{4i} + 2^{3i} + 2^{2i} + 2^i - 1$ | $m = 5i$ | M |



It turns out that, in the odd dimension case, the Gold, Kasami, Welch and Niho 
functions are AB. The condition i < -^^^ in the Gold and Kasami case is not really 
restrictive: It just means that the functions with i > are affine equivalent to 
those with i < For a thorough discussion of the notion of equivalence, we
refer the reader to Section 3.

If a function is APN and bijective, then the inverse is also APN. The inverse
functions are not included in the table above.

3 Equivalence of functions



Let $D = \sum_{g \in G} a_g g$ be an arbitrary element in the group algebra $\mathbb{C}[G]$, and let $\mathcal{L}$
be an automorphism of G. We define

$$\mathcal{L}(D) := \sum_{g \in G} a_g \mathcal{L}(g).$$

Obviously, the differential spectra of D and $\mathcal{L}(D)$ are the same, and also the Fourier
spectra of D and $\mathcal{L}(D)$ are the same. For the statement about the Fourier spectrum
note that the mapping

is a character if $\chi$ is a character. More generally, for $g \in G$, the elements $Dg$ and
$\mathcal{L}(D)$ have the same differential and Fourier spectra.

Therefore it is natural to call two group algebra elements $D_1$ and $D_2$ equivalent if
there is an automorphism $\mathcal{L}$ of G and a group element $g \in G$ such that $\mathcal{L}(D_1) = D_2 g$.

Now we want to specialize this concept of equivalence to functions. This has 
been first done in Proposition 3, therefore we will call the notion of equivalence 
of functions that stems from the notion of equivalence of group algebra elements 
CCZ equivalence. 

$F : U \to V$ and the corresponding group algebra elements $G_F$. The problem is
that $\mathcal{L}(G_F)$ is not necessarily a group algebra element that corresponds to a function
$F' : U \to V$.

We call two functions $F_1 : U \to V$ and $F_2 : U \to V$ CCZ equivalent if there is
an automorphism $\mathcal{L}$ of $U \times V$ such that $\mathcal{L}(G_{F_1}) = G_{F_2} g$ for some element $g \in U \times V$.
This generalizes the concept of affine equivalence. The original definition of affine
equivalence is as follows:

Let U and V be elementary abelian groups of order $2^m$, i.e. the additive groups
of vector spaces over $\mathbb{F}_2$. We say that $F_i : U \to V$, $i = 1, 2$, are affine equivalent if
there are linear mappings $\mathcal{L}_1$ and $\mathcal{L}_2$ on $\mathbb{F}_2^m$ and elements $a \in U$, $b \in V$ such that

$$F_2(x) = \mathcal{L}_2(F_1(\mathcal{L}_1(x + a))) + b.$$

Proposition 1 Two functions $F_1$ and $F_2$ are affine equivalent if and only if they
are CCZ equivalent via an automorphism $\mathcal{L}$ of $U \times V$ such that $\mathcal{L}(V) = V$.

Given two functions Fi and F2 it is sometimes easy to decide whether they 
are affine equivalent. It turns out that the algebraic degree of a function F is an 
affine invariant (we refer the reader to [11 for the precise definition of algebraic 
degree; it is the largest 2-weight of the exponents that occur in the polynomial 
representation of F). But it seems that the important question whether affinely 
inequivalent functions are CCZ equivalent has not been investigated. In [2], several
classes of functions are constructed which are CCZ equivalent to the Gold power 
mapping but not affinely equivalent to any power mapping. This shows that CCZ 
equivalence is really a coarser equivalence relation than affine equivalence. As far 
as we know there is no proof that none of the APN mappings described in Table 1 
are CCZ equivalent. 

If m is odd, it is known that the Fourier spectra of the inverse function and the
Dobbertin function are different, hence these two functions are not CCZ equivalent.
Moreover, their spectrum has more than three values. However, the Gold, Kasami,
Welch and Niho functions all have the same 3-valued Fourier spectrum, hence they 
can be distinguished from the inverse and the Dobbertin function, but they cannot 
be distinguished between themselves using the Fourier spectrum. 

In the case m even, the Fourier spectrum of the Gold and Kasami power functions
are equal. It is always different from the spectrum of the Dobbertin function,
see It turns out that our new function has the same spectrum as Gold and
Kasami. Therefore, in order to decide whether APN functions are CCZ equivalent 
or not, we have to find other invariants than just the Fourier spectrum. 

If $F : U \to V$ is an APN mapping (i.e. U and V are elementary abelian groups
of order $2^m$), we define

$$\Delta_F := \frac{G_F G_F^{(-1)} - 2^m}{2} \in \mathbb{C}[G].$$

We have $(a, b) \in \Delta_F$ if and only if $F(x + a) + F(x) = b$ has two solutions in x. If
$F_1$ and $F_2$ are CCZ equivalent, then $\Delta_{F_1}$ and $\Delta_{F_2}$ are obviously equivalent. Now
we view $\Delta_F$ as an element in $\mathbb{F}_2[U \times V]$. If $F_1$ and $F_2$ are CCZ equivalent, then
$\Delta_{F_1}$ and $\Delta_{F_2}$ are also equivalent in $\mathbb{F}_2[U \times V]$. Hence the dimension of the ideal
generated by $\Delta_F$ is invariant under CCZ equivalence.

We note that the ideal generated by $\Delta_F$ may also be viewed as the $\mathbb{F}_2$ span
of the following matrix A of size $2^{2m} \times 2^{2m}$: We index the rows and columns with
elements from $U \times V$. We have

$$A_{(a,b),(u,v)} = \begin{cases} 1 & \text{if } (a + u, b + v) \in \Delta_F \\ 0 & \text{otherwise.} \end{cases}$$
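
The dimension invariant of this section, computed at toy scale as an added example (not code from the paper): it builds the matrix A for the Gold map x^3 on F_{2^3} and checks that its rank over F_2 does not change under the affine equivalence defined above or when passing to the inverse function. The value table (built with the modulus x^3 + x + 1), the function names and the chosen linear maps are assumptions of the example.

```python
M = 3
CUBE = [0, 1, 3, 4, 5, 6, 7, 2]   # constructed: x -> x^3 on GF(2^3) = F_2[x]/(x^3 + x + 1)

def delta(F):
    """Delta_F as a set of pairs (a, b): F(x+a) + F(x) = b has exactly two solutions x."""
    pairs = set()
    for a in range(1, len(F)):
        counts = {}
        for x in range(len(F)):
            b = F[x ^ a] ^ F[x]
            counts[b] = counts.get(b, 0) + 1
        if set(counts.values()) != {2}:
            raise ValueError("F is not APN")
        pairs.update((a, b) for b in counts)
    return pairs

def ideal_dimension(F):
    """F_2-rank of the matrix with a 1 in row (a, b), column (u, v) iff (a+u, b+v) is in Delta_F."""
    n, d, basis = len(F), delta(F), {}
    for a in range(n):
        for b in range(n):
            row = 0
            for p, q in d:                      # the column is (u, v) = (a+p, b+q)
                row |= 1 << ((a ^ p) * n + (b ^ q))
            while row and row.bit_length() in basis:   # Gaussian elimination over F_2
                row ^= basis[row.bit_length()]
            if row:
                basis[row.bit_length()] = row
    return len(basis)

def linear(cols):
    """Linear map on F_2^M that sends the i-th unit vector to cols[i]."""
    def L(x):
        y = 0
        for i, c in enumerate(cols):
            if (x >> i) & 1:
                y ^= c
        return y
    return L

def affine_image(F, L1, L2, a, b):
    """F2(x) = L2(F(L1(x + a))) + b, the affine equivalence of this section."""
    return [L2(F[L1(x ^ a)]) ^ b for x in range(len(F))]

def compositional_inverse(F):
    """Table of the inverse map; its graph is the graph of F with the coordinates swapped."""
    inv = [0] * len(F)
    for x, y in enumerate(F):
        inv[y] = x
    return inv

if __name__ == "__main__":
    G = affine_image(CUBE, linear([3, 6, 4]), linear([5, 1, 2]), a=5, b=3)
    print(ideal_dimension(CUBE), ideal_dimension(G),
          ideal_dimension(compositional_inverse(CUBE)))
```

The same routine applies to any APN value table, but the matrix has $2^{2m}$ rows, so plain Python is only practical for small m.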

4 The new APN function 

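Theorem 2 Let $\omega$ be an element of order 3 in $\mathbb{F}_{2^{10}}$. Let $\mathbb{F}_{2^5}$ denote the subfield of
order 32 in $\mathbb{F}_{2^{10}}$. The mapping

$$F : \mathbb{F}_{2^{10}} \to \mathbb{F}_{2^{10}}, \quad x \mapsto x^3 + u \cdot x^{36} \tag{5}$$

is an APN mapping if and only if

$$u \in \{\omega \mathbb{F}_{2^5}^*\} \cup \{\omega^2 \mathbb{F}_{2^5}^*\}. \tag{6}$$

This function is not CCZ equivalent to any power mapping.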

It is possible to give a "theoretical" argument why these functions have the APN
property. Since this argument is quite involved, and since it does not really give
insight why the function is APN, we skip it. The APN property of the function can
be easily checked by computer. One can easily show that the 62 examples in (6)
are affine equivalent: In (5), replace x by ax and then divide the resulting equation
by $a^3$ to obtain

$$x \mapsto x^3 + \frac{u a^{36}}{a^3} x^{36} = x^3 + u a^{33} x^{36}.$$

But $u a^{33}$ satisfies (6) if and only if u satisfies this condition (note $2^{10} - 1 = 3 \cdot 11 \cdot 31$).
The function has the interesting property of being crooked. This means that the
sets

$$H_a := \{F(x + a) + F(x) : x \in \mathbb{F}_{2^{10}}\}$$

are affine hyperplanes in $\mathbb{F}_2^{10}$. We refer the reader to ^lEI for recent progress on
the problem to classify crooked mappings.
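
A computer check of the kind mentioned above, as an added example (not the authors' program): it evaluates the differential uniformity of x^3 + u x^36 on F_{2^10} and tests whether the sets H_a are affine hyperplanes. The field model (modulus x^10 + x^3 + 1, which condition (6) does not depend on) and all function names are assumptions of the example.

```python
M = 10
MOD = 0b10000001001   # x^10 + x^3 + 1, irreducible over F_2 (assumed field model)

def gf_mul(a, b):
    """Product in GF(2^10): shift-and-add with reduction modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def satisfies_6(u):
    """Condition (6): u lies in omega*F_32^* or omega^2*F_32^*, i.e. u^31 has order 3."""
    t = gf_pow(u, 31)
    return t != 1 and gf_pow(t, 3) == 1

def table(u):
    """Value table of F(x) = x^3 + u*x^36."""
    return [gf_pow(x, 3) ^ gf_mul(u, gf_pow(x, 36)) for x in range(1 << M)]

def differential_uniformity(F):
    """Largest delta_F(a, b) over a != 0; the value 2 means F is APN."""
    worst = 0
    for a in range(1, len(F)):
        counts = [0] * len(F)
        for x in range(len(F)):
            counts[F[x ^ a] ^ F[x]] += 1
        worst = max(worst, max(counts))
    return worst

def is_crooked(F):
    """True if every H_a, a != 0, has 2^(M-1) points and spans an (M-1)-dimensional direction space."""
    for a in range(1, len(F)):
        H = {F[x ^ a] ^ F[x] for x in range(len(F))}
        h0, basis = min(H), {}
        for h in H:
            v = h ^ h0
            while v and v.bit_length() in basis:   # reduce against the basis found so far
                v ^= basis[v.bit_length()]
            if v:
                basis[v.bit_length()] = v
        if len(H) != 1 << (M - 1) or len(basis) != M - 1:
            return False
    return True

OMEGA = next(t for t in range(2, 1 << M) if gf_pow(t, 3) == 1)   # an element of order 3

if __name__ == "__main__":
    print(differential_uniformity(table(OMEGA)), is_crooked(table(OMEGA)))
```

With u = 1, which does not satisfy (6), `differential_uniformity(table(1))` is larger than 2.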

We want to distinguish our mapping from the known APN's. Table 1 shows
that the only known APN mappings on $\mathbb{F}_{2^{10}}$ are (up to affine equivalence)

$$\underbrace{x^3,\ x^9}_{\text{Gold}}, \quad \underbrace{x^{57}}_{\text{Kasami}}, \quad \underbrace{x^{339}}_{\text{Dobbertin}}.$$

As mentioned above, the Fourier spectrum of our new function is different from
the Fourier spectrum of the Dobbertin function. This shows that our function is
inequivalent to $x^{339}$.

The function F is quadratic, therefore one may suspect that our function is
affine or CCZ equivalent to one of the Gold power mappings. Since the Fourier
spectrum of our function is the same as those of the Kasami and Gold function, we
cannot use it to distinguish the functions.

We computed the dimensions of the ideals $I_F$ generated by $\Delta_F$ for the Gold
power functions $x^3$ and $x^9$ as well as the Kasami power mapping $x^{57}$. The following
table summarizes our results:

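Table 2

Dimensions of the ideals $I_F$ in $\mathbb{F}_2[\mathbb{F}_2^{10} \times \mathbb{F}_2^{10}]$

| F | dimension |
|---|---|
| $x^3$ | 1804 |
| $x^9$ | 1804 |
| $x^{57}$ | 5734 |
| Theorem 2 | 1896 |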

This shows that our function is new. We can show that the power mappings $x^3$
and $x^9$ on $\mathbb{F}_{2^{10}}$ are not affine equivalent, but according to Table 2, the dimensions
of the corresponding ideals are the same. This shows that the dimension cannot
always be used as a criterion to distinguish mappings.

It has been checked (by computer) that in the finite fields $\mathbb{F}_{2^m}$, $m \le 15$,
there are no more power APN mappings besides those listed in Table 1. Therefore, 
our function is not CCZ equivalent to any power mapping. It was known before (see 
[2]) that there are functions which are not affine equivalent to any power mapping. 
Our example gives the first APN mapping which is not CCZ equivalent to any power 
mapping. 

We can also use another argument if we want to show just affine inequivalence 
to power mappings different from the Gold case: Our function is crooked, and it 
is known that the only crooked power mappings are quadratic, see |lci| . Hence 
the only chance to be affine equivalent is equivalence to the Gold power mapping, 
since affine equivalence preserves the property being crooked. This property is not 
preserved by CCZ equivalence! 

The example in Theorem 2 has been found through a computer search for APN
binomials x'^'^ + ux'^^ on $\mathbb{F}_{2^n}$. The search was complete in the range $n \le 10$. Up to
affine equivalence, the example in Theorem 2 is the only new APN binomial. We
also found an example in $\mathbb{F}_{2^{12}}$ where we can show that the function is not affine
equivalent to the Gold power mappings.

Theorem 3 The mapping 

$F' : \mathbb{F}_{2^{12}} \to \mathbb{F}_{2^{12}}$

X x"^ + u - x^^^ 

is an APN mapping if and only if

$u \in \{x \in \mathbb{F}_{2^{12}}$ : order of x is divisible by 45 and divides $45 \cdot 13\}$

$\cup\ \{x \in \mathbb{F}_{2^{12}}$ : order of x is divisible by 7 and divides $3 \cdot 7 \cdot 13\}$.

The proof that the functions are not affine equivalent to the Gold power mappings
is rather involved and therefore omitted. We did not yet check the dimension
of the ideal generated by $\Delta_{F'}$ since the ambient space is too large (it has dimension
$2^{24}$). We also found some more examples of binomials in larger fields where we are
not yet able to prove that they are affine inequivalent to the known APN functions.

5 Summary and open problems



In this paper, we reported on two new examples of APN functions in $\mathbb{F}_{2^{10}}$ and
$\mathbb{F}_{2^{12}}$. Both examples are quadratic, which implies that the functions are crooked.
In both cases, the new functions are not affine equivalent to any power mapping, 
and in one case we know that the example is not CCZ equivalent to the Gold 
power mappings. Using computer assistance, we computed the dimensions of the 
ideals generated by for different functions F. These dimensions showed that 
the function on $\mathbb{F}_{2^{10}}$ is different from all previously known APN mappings. Since
all APN power mappings on $\mathbb{F}_{2^{10}}$ are known, our function is not CCZ equivalent to
any power mapping. 

We want to finish with the following open problems: 

• Show that the function in Theorem |21 is not CCZ equivalent to any of the 
known functions. 

• Try to generalize the examples. Perhaps, one can also use sums of more than 
just two Gold power mappings. 

• Give a theoretical proof that our new functions are not CCZ equivalent to the 
known ones. 

• Compute the ranks of the ideals generated by $\Delta_F$ or $D_F$ for the known classes
of APN or AB mappings. 

• Show that the known APN or AB functions are not CCZ equivalent. 

• Find more invariants for CCZ equivalence.

Note

After finishing this paper and making it available as a preprint, a new infinite series
of APN functions has been constructed (L. Budaghyan, C. Carlet, P. Felke and G.
Leander: An infinite class of quadratic APN functions which are not equivalent to
power mappings, http://eprint.iacr.org/2005/359). The series covers some of
the examples presented here.